| Source \ Destination | External | Apps | System Components |
|---|---|---|---|
| External | N/A | Operator provides wildcard certs to Ingress Gateway. Gateway to backend uses Istio Auto mTLS / sidecars / etc. | Operator provides wildcard certs for the system domain to Ingress Gateway. Gateway to backend uses Istio Auto mTLS / sidecars / etc. |
| Apps | Mesh can be leveraged with Istio Destination Rules and Service Entries. Istio defaults to PERMISSIVE egress (https://istio.io/docs/tasks/traffic-management/egress/egress-control/). | Istio Auto mTLS / Global Mesh Policy to require strict mTLS / Istio auto injection of sidecars / Should default deny app-to-app traffic | Istio Auto mTLS / Global Mesh Policy to require strict mTLS / Istio auto injection of sidecars |
| System Components | CAs for external destinations can be added to the trust store via mounts. Probably configured in component YAML / RelInt artifact. | Platform-managed Prometheus might scrape apps' /metrics endpoint. This can use mTLS with Istio Auto mTLS / sidecars / etc. | Istio Auto mTLS / Global Mesh Policy to require strict mTLS / Istio auto injection of sidecars / Should default deny app-to-app traffic / Note: We should investigate turning on encrypted Istio component traffic. |
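The Apps and System Components cells above (strict mTLS, default-deny app-to-app traffic, a scrape allowance for Prometheus, and registry-only egress via ServiceEntry) expressed as Istio resources. This is an added example, not part of the gist or of cf-for-k8s; the namespaces `cf-workloads` and `cf-system`, the Prometheus service account name, the ingress gateway service account name and the external host are assumptions, and the `security.istio.io/v1beta1` API assumes Istio 1.5 or later.

```yaml
# Mesh-wide strict mTLS: the matrix's "Global Mesh Policy to require strict mTLS".
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system  # root namespace, so this is the mesh-wide default
spec:
  mtls:
    mode: STRICT
---
# Default deny for app-to-app traffic (assumed namespace cf-workloads); a policy with no rules denies all.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: cf-workloads
spec: {}
---
# Explicit allows: the ingress gateway on any path, and the platform Prometheus
# (assumed SA/namespace) on GET /metrics only. Principals are SPIFFE identities.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-ingress-and-scrape
  namespace: cf-workloads
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"]
  - from:
    - source:
        principals: ["cluster.local/ns/cf-system/sa/prometheus"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/metrics"]
---
# Egress with meshConfig.outboundTrafficPolicy.mode REGISTRY_ONLY (not the permissive ALLOW_ANY default): only ServiceEntry hosts are reachable.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-api
  namespace: cf-workloads
spec:
  hosts: ["api.example.com"]  # assumed external destination
  location: MESH_EXTERNAL
  resolution: DNS
  ports: [{number: 443, name: https, protocol: TLS}]
```

With STRICT mTLS the Prometheus principal only matches if the scraper itself presents a mesh certificate (a sidecar or mounted Istio certs), which is the "can use mTLS with Istio Auto mTLS / sidecars" point in the System Components row.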
cf4k8s TLS matrix
Gist tcdowney/20673e34ab335f60f5a9922cfe5292ae, last active December 8, 2020 20:26